When you set PHP's open_basedir restriction, PHP will deactivate the realpath cache.
This will decrease the performance of any PHP application which uses
multiple files (include_once
, require_once
) like WordPress,
Drupal and Magento -- just to mention a few.
The decision to deactivate the realpath cache when using open_basedir (and the previous safe_mode) restriction was made when the PHP team fixed CVE-2006-5178. Please see PHP's bug report 52312 for further information.
The realpath_turbo PHP extension, created by Artur Graniszewski, is a workaround:
-
Instead of setting
open_basedir
you will setrealpath_cache_basedir
.Because now
open_basedir
isn't set, PHP will not deactivate the realpath cache. -
When the realpath_turbo extension will be loaded, it will set the
open_basedir
restriction, which won't deactivate the realpath cache which will happen if you set theopen_basedir
restriction in yourphp.ini
.
-
Download the realpath_turbo source code.
-
Extract and compile the extension
$ tar -xaf realpath_turbo* $ cd realpath_turbo* $ phpize $ ./configure $ make # make install
-
Adjust your
php.ini
to load and configure turbo_realpath extension.
; you have to load the extension first
extension=turbo_realpath.so
; realpath_turbo security mode
; Possible values:
; 0 - Ignore potential security issues
; 1 - Disable dangerous PHP functions (link,symlink)
realpath_cache_security = 1
; Set realpath_cache_basedir to whatever you want to set open_basedir to
realpath_cache_basedir = "/var/www/html/drupal:/usr/share/php"
; Disable PHP's open_basedir directive so that the realpath cache won't be
; disabled.
; Remember, turbo_realpath will set this option later to the
; realpath_cache_basedir value.
open_basedir = ""
It is very important to deactivate any PHP function which can be used
to create/manipulate symlinks. If you don't do that, any attacker could
create or manipulate a symlink to bypass the open_basedir
restriction.
But even if you have disabled those functions in PHP you still maybe at risk: If you allow your users to create symlinks because they have shell access, they could do the same.
So it is more than just PHP you have to take care of when you rely on
open_basedir
restriction and want to use realpath_turbo.
Therefore realpath_turbo is not recommended for any shared hosting
environment. Instead of relying on open_basedir
, you should create VMs or
use containers (LXC) to safely separate your users without any performance
degradation.
See http://www.php.net/security-note.php for more information.
-
http://php.webtutor.pl/en/2011/07/01/running-php-on-nfs-new-version-of-turbo_realpath-extension/
-
http://php.webtutor.pl/en/2011/07/12/running-php-on-nfs-version-1-2-of-turbo_realpath-extension/
-
http://php.webtutor.pl/en/2013/05/13/running-php-on-nfs-version-1-3-of-turbo_realpath-extension/
Patched for PHP7 by Mikk3lRo. No warranties!